"File-based domain validation was less secure; one dangling DNS record or webserver mis-configuration is all it takes to hijack a certificate.
The remaining domain control validation (DCV) methods for my organization have been reduced to two options: DNS TXT records and email-based validation.
DNS validation is a decent and secure option in an organization where DNS management access is tightly controlled.
A recent change aims to thwart BGP hijacking and DNS spoofing attacks.
Indeed, there are CA consulting services that will offer to "bring PKI and DNS together to validate domain ownership and issue certificates without manual DNS record updates"."
This CA-based, i.e., third-party-based, "Web PKI" appears to depend heavily on the ICANN DNS. But in ICANN DNS the authoritative nameservers are not required to accept encrypted queries or send encrypted responses.
In this ICANN DNS upon which "Web PKI" depends, specifically the system of authoritative nameservers, there is no encryption, only authentication, and it is not mandatory for all nameservers. Even more, the setup and maintenance of this authentication system for the data^1 served by these nameservers (DNSSEC) is as difficult as, if not more difficult than, the CA-issued certificates system for networked computers that the blog post is complaining about.^2
1. Never mind the authentication of the computers serving the zone data.
2. https://ianix.com/pub/dnssec-outages.html
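A defender-side check for the DNS TXT DCV path discussed above, added here as an example (not code from the comment or the quoted blog post): parse a DNS response with the standard library and accept the challenge token only when the resolver set the AD bit, i.e. reported the data as DNSSEC-validated. The `_dcv.example.com` name and the token are constructed placeholders; without DNSSEC, the situation the comment points at, the two sample answers are indistinguishable to the relying party.

```python
import struct

def _read_name(msg: bytes, off: int) -> int:
    """Skip a possibly compressed name (RFC 1035 4.1.4); return the offset after it."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def txt_records(msg: bytes) -> tuple[bool, list[str]]:
    """Return (AD bit set?, TXT strings found in the answer section)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    ad = bool(flags & 0x0020)       # AD: resolver asserts it DNSSEC-validated the data
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off) + 4        # skip QTYPE, QCLASS
    texts = []
    for _ in range(an):
        off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 16:                        # TXT: <len><chars> repeated
            while rdata:
                n, rdata = rdata[0], rdata[1:]
                texts.append(rdata[:n].decode("ascii", "replace"))
                rdata = rdata[n:]
    return ad, texts

def dcv_accept(msg: bytes, token: str) -> bool:
    """Accept the TXT challenge only when the token is present AND the answer
    carries AD. AD is evidence only if the validating resolver is trusted and
    reached over a protected path; from an arbitrary hop it proves nothing."""
    ad, texts = txt_records(msg)
    return ad and token in texts

def _build(token: str, ad: bool) -> bytes:
    """Constructed sample response: one question, one TXT answer for _dcv.example.com."""
    name = b"\x04_dcv\x07example\x03com\x00"
    hdr = struct.pack("!6H", 0x1234, 0x8180 | (0x0020 if ad else 0), 1, 1, 0, 0)
    rdata = bytes([len(token)]) + token.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return hdr + name + struct.pack("!HH", 16, 1) + answer

TOKEN = "ca-dcv-token-EXAMPLE"                  # constructed placeholder token
VALIDATED, UNVALIDATED = _build(TOKEN, True), _build(TOKEN, False)
```

Both sample messages carry the same token; only the AD bit differs, which is exactly the signal a relying party has nothing to replace when the zone is not signed.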